Secure network location awareness

US 8,806,565 B2
Filed: 09/12/2007
Issued: 08/12/2014
Est. Priority Date: 09/12/2007
Status: Active Grant

First Claim

Patent Images

1. A client system comprising:

one or more processors configured to generate a first nonce used as a first freshness indicator;

an output device circuitry configured to send a network request to an access node of a communications network, the access node being certified by a common root certification authority, the request containing the first nonce;

a memory configured to store network settings based on information received from at least one other access node different from the access node, the other access node having been certified and bound into one logical network location with the access node by the common root certification authority of the access nodes;

an input device circuitry configured to receive a signed message from the access node of the communications network, the signed message comprising a signature, a location identifier, a public key, and at least a second nonce used as second freshness indicator comprising; and

the one or more processors being further configured to;

parse the signed message to obtain the second nonce, the signature, and the public key;

compare the first nonce with the second nonce;

validate the second nonce based on the comparison of the first nonce and the second nonce;

verify the signature of the signed message using the public key, andallow the client computing device to access the stored network settings for use within the network, in response to a successful validation of the second nonce and a successful verification of the signature.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure network location awareness is provided whereby a client is able to use appropriate settings when communicating with an access node of a communications network. In an embodiment a client receives a signed message from the access node, the signed message comprising at least a certificate chain having a public key. In some embodiments the certificate chain may be only a self-signed certificate and in other embodiments the certificate chain is two or more certificates in length. The client validates the certificate chain and verifies the signature of the signed message. If this is successful the client accesses stored settings for use with the access node. The stored settings are accessed at least using information about the public key. In another embodiment the signed message also comprises a location identifier which is, for example, a domain name system (DNS) suffix of the access node.

Citations

20 Claims

1. A client system comprising:
- one or more processors configured to generate a first nonce used as a first freshness indicator;
  
  an output device circuitry configured to send a network request to an access node of a communications network, the access node being certified by a common root certification authority, the request containing the first nonce;
  
  a memory configured to store network settings based on information received from at least one other access node different from the access node, the other access node having been certified and bound into one logical network location with the access node by the common root certification authority of the access nodes;
  
  an input device circuitry configured to receive a signed message from the access node of the communications network, the signed message comprising a signature, a location identifier, a public key, and at least a second nonce used as second freshness indicator comprising; and
  
  the one or more processors being further configured to;
  
  parse the signed message to obtain the second nonce, the signature, and the public key;
  
  compare the first nonce with the second nonce;
  
  validate the second nonce based on the comparison of the first nonce and the second nonce;
  
  verify the signature of the signed message using the public key, andallow the client computing device to access the stored network settings for use within the network, in response to a successful validation of the second nonce and a successful verification of the signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A client computing device as claimed in claim 1 wherein the public key is conveyed as a part of a certificate chain.
  - 3. A client computing device as claimed in claim 2 wherein the certificate chain comprises only a self-signed certificate.
  - 4. A client computing device as claimed in claim 1 wherein the public key is the root public key of a certificate chain and the client computing device is further configured to check that the location identifier matches a name in the certificate chain.
  - 5. A client computing device as claimed in claim 4 wherein the location identifier is a domain name system (DNS) suffix and the client computing device is configured to check that the location identifier isa suffix of a fully-qualified domain name of the access node, that fully-qualified domain name being provided in the certificate chain.
  - 6. A client computing device as claimed in claim 1 wherein the sent first freshness indicator comprising a first nonce comprises a random number or a pseudo-random number.
  - 7. A client computing device as claimed in claim 1 wherein the client computing device is configured to access the stored settings using a hash of at least the public key and the location identifier.
  - 8. A client computing device as claimed in claim 1, wherein the client computing device is configured to select settings for use with the access node during a current connection, wherein the settings were acquired during a connection prior to the current connection, and storing information about the selected settings together with information about a public key advertised by the access node.
  - 9. A client computing device as claimed in claim 8 wherein the client computing device is further configured to store information about the selected settings together with information about the public key and information about a location identifier provided by the access node.

10. A method of granting access for a client commuting device, the method comprising:
- generating, by one or more hardware processors, a first nonce used as a first freshness indicator;
  
  sending, by an output device circuitry, a network request to an access node of a communications network, the access node being certified by a common root certification authority, the request containing the first nonce;
  
  storing network settings based on information received from at least one other access node different from the access node, the other access node having been certified and bound into one logical network location with the access node by the common root certification authority of the access nodes;
  
  receiving, by an input device circuitry, a signed message form the access node of the communications network, the signed message comprising a signature, a location identifier, a public key, and at least a second nonce used as second freshness indicator;
  
  parsing the signed message to obtain the second nonce, the signature, and the public key;
  
  comparing the first nonce with the second nonce;
  
  validating the second nonce based on the comparison of the first nonce and the second nonce;
  
  verifying the signature of the signed message using the public key, andallowing the client computing device to access the stored network settings for use within the network, in response to a successful validation of the second nonce and a successful verification of the signature.
- View Dependent Claims (11, 12)
- - 11. The method as claimed in claim 10, further comprising receiving an authenticated location identifier from the communications network and including the location identifier in input to the cryptographic hash function.
  - 12. The method as claimed in claim 11, further comprising checking that the location identifier matches a name in the certificate chain.

13. One or more computer-readable memory storing computer-readable instructions that, when executed on a processor of a client computing device, configure the processor to perform a series of acts comprising:
- generating a first nonce used as a first freshness indicator;
  
  sending, by an output device circuitry, a network request to an access node of a communications network, the access node being certified by a common root certification authority, the request containing the first nonce;
  
  storing network settings based on information received from at least one other access node different from the access node, the other access node having been certified and bound into one logical network location with the access node by the common root certification authority of the access nodes;
  
  receiving, by an input device circuitry, a signed message from the access node of the communications network, the signed message comprising a signature, a location identifier, a public key, and at least a second nonce used as second freshness indicator;
  
  parsing the signed message to obtain the second nonce, the signature, and the public key;
  
  comparing the first nonce with the second nonce;
  
  validating the second nonce based on the comparison of the first nonce and the second nonce;
  
  verifying the signature of the signed message using the public key, andallowing the client computing device to access the stored network settings for use within the network, in response to a successful validation of the second nonce and a successful verification of the signature.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The one or more computer-readable memory as claimed in claim 13, the series of acts further comprising receiving an authenticated location identifier from the communications network and including the location identifier in input to the cryptographic hash function.
  - 15. The one or more computer-readable memory as claimed in claim 14, the series of acts further comprising checking that the location identifier matches a name in the certificate chain.
  - 16. The one or more computer-readable memory as claimed in claim 15, the series of acts further comprising checking that the certificate chain comprises only a self-signed certificate.
  - 17. The one or more computer-readable memory as claimed in claim 15, the series of acts further comprising checking that the location identifier is a suffix of a fully qualified domain name, the fully qualified domain name being provided in the certificate chain.
  - 18. The one or more computer-readable memory as claimed in claim 13, the series of acts further comprising receiving a location identifier from the communications network, wherein the location identifier includes a domain name system (DNS) suffix advertised by the server and the other server.
  - 19. The one or more computer-readable memory as claimed in claim 13, wherein the first freshness indicator is a random number.
  - 20. The one or more computer-readable memory as claimed in claim 13, wherein the first freshness indicator is a pseudo-random number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Aura, Tuomas, Roe, Michael, Murdoch, Steven
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US11/854,333
Publication Number

US 20090070582A1
Time in Patent Office

2,526 Days
Field of Search

726/1, 713/150, 713/155, 713/156, 713/157
US Class Current

726/1
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 9/3265   using certificate chains, t...

Secure network location awareness

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network location awareness

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links